exclusive research report - keeper

© 2021 Keeper Security, Inc. | keeper.io/malpracticereport

Sponsored by Keeper Security

Exclusive Research Report

http://keeper.io/malpracticereport

WORKPLACE PASSWORD MALPRACTICE REPORT

Introduction

Poor password hygiene in the workplace was a threat to organizational cybersecurity even before the COVID-19 pandemic. When COVID-19 forced organizations worldwide to rapidly deploy and secure remote workforces, teams began connecting to organizational resources remotely, in environments that their employers did not control, many times using their own devices.

Respondents to the Ponemon Institute’s Cybersecurity in the Remote Work Era: A Global Risk Report, commissioned by Keeper Security in 2020, expressed grave concerns over password security in their organizations:

• 60% of respondents said their organizations experienced a cyberattack in the past 12 months.

• Over 50% of these attacks involved stolen credentials.

• The theft of IT assets caused $5 million or more in damages for 25% of businesses.

The pandemic pushed organizations to rapidly deploy a host of new technologies to keep remote employees connected, collaborating, and working. From Zoom to Google Workspace to Slack, employees had to sign up for yet more online accounts — and keep track of yet more passwords.

Keeper wondered how much password security had changed since companies moved to remote work environments. Were remote employees following simple best practices to secure their passwords, or were they falling prey to “password fatigue” and engaging in bad habits that lead to significant cybersecurity risks? Which is why Keeper, in partnership with Pollfish, conducted the Workplace Password Malpractice Survey.

While Ponemon surveyed organizational leaders, we decided to go straight to employees for this survey, and we queried 1,000 full-time workers in the United States about their password habits. The survey was completed in February 2021, and consisted of only individuals who used passwords to log into work-related online accounts.

Following are the most important findings from the survey. The full data can also be viewed on page 5.

Finding 1: U.S. employees are tracking & storing their login credentials insecurely

Our survey found that U.S. employees are not following best practices when storing and tracking their work-related passwords, presenting major cybersecurity risks for their employers.

• Over half of respondents (57%) admit to writing down work-related online passwords on “sticky notes”, and two-thirds (67%) admit to having lost these notes. In addition to leaving sensitive corporate information in full view of anyone else living in or visiting their home, this harms organizational efficiency. Lost sticky notes mean lost passwords, which result in help desk tickets to reset said passwords.

• 62% of respondents store login credentials in a notebook or journal, and the overwhelming majority (82%) say that they keep these notebooks next to or close to their work devices, where they can be accessed by anyone else who lives in or is visiting their home.

Using a pen and paper to keep track of passwords has become even more problematic in the remote work world. Most workers (66%) say that they’re more likely to write down work-related passwords when working from home than they are while working in the office.

2© 2021 Keeper Security, Inc.

https://www.keepersecurity.com/ponemon2020.html


Even when using digital methods to track and store their passwords, U.S. employees are engaging in poor password security practices.

• Nearly half of respondents (49%) save work-related passwords in a document in the cloud.

• Just over half (51%) say that they currently save these passwords in a document saved on their computer.

• 55% save work-related passwords on their phone.

Storing passwords in unencrypted files is extremely risky. All a cybercriminal needs to do is breach the cloud storage, computer, or mobile device, and they can access all of the employee’s passwords.

Finding 2: U.S. employees are creating weak, easily guessed passwords

A strong password consists of a random string of uppercase and lowercase letters, numerals, and special characters. However, many respondents admitted to using passwords that contain personal details, which cybercriminals can easily find on social media channels.

• Over one-third (37%) of respondents have used their employer’s name in a work-related password.

• Over one-third (34%) have used their significant other’s name or birthday.

• Nearly one-third (31%) have used their child’s name or birthday.

Password re-usage between personal and work-related accounts has become a big cybersecurity risk for companies, with 44% of respondents admitting to reusing passwords across personal and work-related accounts and 53% admitting to keeping password-protected personal accounts on their work devices.

Finding 3: U.S. employees are sharing work-related passwords with unauthorized parties

Many U.S. employees are not exercising care regarding whom they share their work-related passwords with. This puts organizations at risk of being breached should these passwords wind up in the hands of someone who is careless or who has malicious intentions.

• Over the past year, 14% of respondents have shared their work-related passwords with their significant other or spouse.

• 11% of respondents have shared work-related passwords with another family member.

Even absent a data breach, an employer could be found out of compliance, and assessed very large penalties, if it is discovered that unauthorized parties have viewed compliance-protected data.



Finding 4: U.S. employers are not doing their part to ensure that passwords are being shared securely and/or only with authorized parties

Our survey found that shared passwords in the workplace are common.

• Nearly half of respondents (46%) report that their company shares passwords for accounts that are used by multiple people.

• Over one-third (34%) have shared work-related passwords with colleagues on the same team.

• Nearly one-third (32%) have shared work-related passwords with their managers.

• 19% have shared their passwords with their executive team.

The best thing to do is to give every user a unique password for every work-related account or application, which can be practically done by utilizing the use of an Enterprise Password Management (EPM) platform. Password-sharing in the workplace is safe if the passwords are shared securely, and if passwords are shared only with unauthorized parties. Our survey results indicate that many U.S. employers are not exercising risk mitigation strategies to help ensure safe password-sharing.

• The majority of respondents (62%) report sharing a work-related password over text message or email, which could be intercepted by cybercriminals in transit.

• Nearly one-third of respondents (32%) admit to accessing an online account belonging to a previous employer, which indicates that many employers are not disabling accounts when employees leave the company.

Conclusion

Adopting and implementing an enterprise password management platform such as Keeper Enterprise would cure the password malpractice uncovered in this survey. Keeper’s zero-knowledge password encryption and zero-trust framework provides advanced password management, secure sharing, and other security capabilities. IT administrators and leaders gain complete visibility and control into employee password practices, including:

• Exclusive, proprietary zero-knowledge security model and zero-trust framework system; all data in transit and at rest is encrypted; it cannot be viewed by Keeper Security employees or any outside party.

• Rapid deployment on all devices, with no upfront equipment or installation costs.

• Personalized onboarding and 24/7 support and training from a dedicated support specialist.

• Support for RBAC, 2FA, auditing, event reporting, and multiple compliance standards, including HIPAA, DPA, FINRA, and GDPR.

• Provision secure shared folders, subfolders, and passwords for teams.

• Single Singn-On (SAML 2.0) authentication

• Enable offline vault access when SSO is not available.

• Dynamically provision vaults through SCIM.

• Configure for High Availability (HA).

• Advanced two-factor/multi-factor authentication

• Active Directory and LDP sync

• SCIM and Azure AD provisioning

• Developer APIs for password rotation and backend integration4© 2021 Keeper Security, Inc.


Survey Results



Audience DemographicsSample Size 1000

Career

Advertising

Agriculture, Forestry, Fishing & Hunting

Arts, Entertainment, or Recreation

Automotive

Broadcasting

Construction

Consulting

Education

Energy, Utilities, Oil & Gas

Fashion/Apparel

Finance & Insurance

Government & Public Admin

Health Care & Social Assistance

Homemaker

Hotel & Food Services

Human Resources

Information - Other

Information - Services & Data

Legal Services

Manufacturing - Computer & Electronics

Manufacturing - Other

Market Research

Marketing/Sales

Military

Personal Services

Processing

Publishing

Real Estate, Rental, or Leasing

Religious

Retail

Scientific or Technical Services

Security

Shipping/Distribution

Software

Telecommunications

Transportation & Warehousing

Wholesale

Other

0 50 100 150

5

5

15

16

12

21

7

7

7

4

38

9

8

140

2

1

119

3

13

13

13

2

2

2

34

35

34

48

30

80

29

10

14

88

24

24

85



12

436500

400

300

200

100

0

132

75

345

Middle School High School Vocational/ Technical College

University Post-graduate

Education

228

52

250

200

150

100

50

0

122

154

164

123 118

< $25K $25K - $49,999K

$50K - $74,999

$75K - $99,999

$100K - $124,999

$125K - $149,999

>$150K Prefer not to say

Income

Ethnicity

3

800

1000

600

400

200

80

60

40

20

0

34

5442

21

793

16 8

29

Arab Asian Black Hispanic Latino White Multiracial Other Prefer not to say



1000

1250

1000

750

500

250

0 Employed for wages

Self- Employed

Out of work & looking

Out of work & not looking

Homemaker Student Military Retired Unableto work

Other

Employment Status

200

150

100

50

08 5

232635

50 53

89101

86

190

163 171

1 2-5 6-10 11-25 26-50 51- 100

101- 250

251- 500

501-1000

1001-5000

>5000 IDK prefer not to say

Number of Employees



Organization Role

Owner or Partner

President/CEO/Chairperson

C-Level Executive

Middle Management

Chief Financial Officer

Chief Technical Officer

Senior Management

Director

HR Manager

Product Manager

Supply Manager

Project Management

Business Administrator

Supervisor

Administrative/Clerical

Craftsman

Foreman

Technical Staff

Sales Staff

Buyer/Purchasing Agent

Other non-management Staff

Prefer not to say

0 50 100 150 200

7

8

8

6

167

39

68

34

30

140

14

65

31

16

87

43

53

42

12

88

35

6



Spoken Languages

English

Spanish

Portuguese

Arabic

Azerbaijani

Bengali

Bulgarian

Chinese Simplified

Chinese Traditional

Czech

Danish

Dutch

Egyptian

Estonian

Filipino

Finnish

French

Georgian

German

Greek

Hebrew

Hindi

Hungarian

Indonesian

Italian

Japanese

Korean

Lithuanian

Norwegian

Pashto

Persian

Polish

Punjabi

Romanian

Russian

Serbian

Slovak

Swedish

0 250 500 750 1000 1250

Thai

Turkish

Ukrainian

Uzbek

1000

33

13

13

10

10

11

6

6

6

6

6

6

6

6

6

6

6

6

6

6

6

6

6

6

6

6

7

7

7

7

7

7

8

8

8

8

8

8

8

12

12



Publisher’s Choice Cybersecurity Password Management

Cutting Edge Chief Executive of the Year

Editors’ Choice 2018 & 2019

Best Product in Password Management

Best Product for SMB Cybersecurity

Publisher’s Choice for Chief Executive of the Year

Most Innovative CTO of the Year

Editors’ Choice 4.5 out of 5 stars

2020 Enterprise Leader 4.7 out of 5 stars

Spiceworks 5 out of 5 stars

Gartner Peer Insights 4.9 out of 5 stars

Best Password Manager of the Year & Editors’ Choice 2019 & 2020

Ratings & Awards

Keeper has been named PC Magazine’s Best Password Manager of the Year & Editors’ Choice, PCWorld’s Editors’ Choice for two consecutive years and is the winner of four G2 awards for Best Software and four InfoSec Award for Best Product in Password Management for SMB and Best Product for SMB Cybersecurity. Keeper is SOC-2 and ISO 27001 Certified and is listed for use by the U.S. federal government through the System for Award Management (SAM).



To download a copy of the Workplace Password Malpractice Report, infographic and more, visit our dedicated resources hub. For more information on Keeper Security, or how to defend your organization from password-related data breaches, go to keepersecurity.com.

Methodology

Keeper Security contracted with Pollfish to conduct this survey of 1,000 full time employees in the United States. Only individuals who use passwords to log into work-related online accounts were included. The survey was completed in February 2021.

About Keeper Security, Inc.

Keeper Security, Inc. (Keeper) is the highly-rated and patented cybersecurity platform for preventing password-related data breaches and cyberthreats. Keeper’s zero-knowledge security and encryption software is trusted by millions of people and thousands of businesses across the globe to mitigate the risk of cybertheft, boost employee productivity and meet compliance standards. In 2020, Keeper was named PCMag’s Best Password Manager of the Year & Editors’ Choice for the third time. Keeper has also been named PCWorld’s Editors’ Choice and is the winner of four G2 Best Software Awards and the InfoSec Award for Best Product in Password Management for SMB Cybersecurity. Keeper is SOC-2 and ISO 27001 Certified and is also listed for use by the U.S. federal government through the System for Award Management (SAM).

keepersecurity.com © 2021 Keeper Security, Inc.

http://keepersecurity.com/workplace-password-malpractice-2021.html

https://keepersecurity.com

exclusive research report - keeper

Documents